
Audit Report: Model and Sample
JOHN KYRIAZOGLOU
First published in July 2013
Updated in December 2014

Written and published by John Kyriazoglou


Author of the following books:
(1) Business Management Controls: A Guide, www.itgovernance.co.uk.
(2) Business Management Controls: Toolkit, www.itgovernance.co.uk.
(3) IT Strategic & Operational Controls, www.itgovernance.co.uk/products/3066
(4) Other books:
http://www.amazon.com/s/ref=nb_sb_noss/177-9598798-5192365?url=searchalias%3Dstripbooks&field-keywords=kyriazoglou

John Kyriazoglou 2013


The author has asserted the rights of the author under the Copyright, Designs and Patents Act,
1988, to be identified as the author of this work.
This material may be used for educational purposes only at the University level, as long as the author and the
copyright message are noted.
For other uses kindly contact the author at: jkyriazoglou@hotmail.com

Slideshare special publication



Summary of Contents
This book, Audit Report: Model and Sample, contains a model of an audit report and a real
sample from an IT Audit assignment (client data not disclosed for privacy and confidentiality
reasons).
A FULL SAMPLE IS AVAILABLE AT:
https://flevy.com/browse/business-document/audit-report-model-and-sample-268

This has been used effectively in various types of internal and external audit assignments as well
as consulting assignments, especially in reviewing internal controls for all types of companies.
These types of audit include:
(1) Financial Auditing (also called statutory auditing), which involves reviewing the adequacy
of internal accounting controls of the organization in terms of accuracy, completeness and
validity of financial information, financial reports and of the underlying accounting systems and
records,
(2) Operational (Performance) Auditing, which includes reviewing the strategic and
operational performance of the whole organization or specific business processes or departments,
focusing on the efficiency and effectiveness of these processes and the associated management
controls,
(3) Compliance Auditing, which relates to reviews of compliance or conformity of the
organization with relevant legislation, regulations, standards, internal policies and guidelines,
and
(4) IT Systems Auditing, which pertains to reviews of the effectiveness, accuracy and efficiency of
IT general controls (e.g., IT organization, administration, security, etc.) as well as IT
application controls (e.g., accuracy of the data and transactions processed and maintained by specific
corporate computerized application systems) related to the information technology and
telecommunications systems, facilities and projects of the organization.
Other types of audits are: Follow-up audits, Investigating audits, Integrated audits, Quality
audits, ISO audits, Tax audits, IT Security audits, Continuous audits, Due Diligence Process
audits, etc.
The work of all these audits is carried out by Internal and External Auditors and Management
Consultants on the basis of an audit or evaluation strategy, a plan, and a methodology with
specific audit objectives, and with the assistance of audit programs, audit checklists, test
computerized application systems, and computer-assisted audit tools and techniques
(CAATTs), etc.
The objective of this book is to provide any business owner, company director, senior manager,
auditor, other stakeholder, etc., with a useful set of practical tools to assist and support them in
their business performance management system audit and implementation, using any
performance model (BSC, EFQM, Six Sigma, etc.).

AUDIT REPORT MODEL

<TITLE OF AUDIT>

Reference Number:

EXECUTIVE SUMMARY
1. Introduction

2. Objectives

3. Scope

4. Opinion

Issued:

5. Detailed Recommendations
5.1 Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

5.2 Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

5.3 Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

5.4 Enter title of area reviewed or Risk

Rationale
Recommendation
Management Response

MANAGEMENT ACTION PLAN


Report Ref | Agreed Action | Responsibility for Implementation | Implementation Date | Status

IT Audit Report for Company ABCXYZ (a fictitious entity)


This report is based on the Audit Report Model described previously in this book.
1. Scope of IT Audit Coverage
During this IT audit, as per the Internal Audit Annual Plan and further to the agreement with the
Audit Committee, we reviewed and evaluated the controls of the following areas of IT activities
of Company ABCXYZ (a fictitious private business entity or public organization).
These areas are:
(a) IT Organization,
(b) IT Administration,
(c) IT Strategy,
(d) Systems Development,
(e) IT Security,
(f) Data Center Operational and Support Services, and
(g) Systems Software.
The areas of Enterprise Architecture and the operation of specific IT Applications in the data center or
on end user personal computers will not be examined. Also, testing in a test environment with real
or dummy transactions, scanning the facility for eavesdropping devices, and security
penetration testing will not be undertaken.
The audit findings and recommendations per area audited, both in summary and in detail form,
are presented next.
2. Summary of Audit Findings and Recommendations
Our recommendations according to an audit priority scheme are presented next.
High priority means that these recommendations should be considered first for
implementation, because their impact level is deemed to be of the highest importance to the
specific IT operations.
Medium priority denotes that these may be examined for implementation next, as their impact
level may be important, but not as important as the impact level of High priority
recommendations.
Finally, Low priority does not mean that these recommendations should be disregarded altogether, but
that they may be implemented as the last step.
IT management and other corporate officers (e.g., CEO, Compliance Officer, Risk Officer, Chief
Finance Officer, etc.) may change this priority, should they wish. The important thing here is to
set priorities and do what is right to rectify and improve the situation.

High priority recommendations


There are 11 audit recommendations of High priority value listed next. Each recommendation
number below is the recommendation number identified in the Detail Recommendations section
of this report.
No. 1: Formal IT Steering Committee required.
No. 2: Creation of a CIO Position required.
No. 6: Segregation of Duties of IT Personnel requires improvement.
No. 7: Formal IT Strategic Plan required.
No. 8: Application Systems Development Standards required.
No. 11: Formal IT Security Policy and related Procedures required.
No. 12: Access Controls on production elements by IT personnel require improvement.
No. 13: Password Controls require improvement.
No. 14: Computer Room Access Controls require improvement.
No. 16: IT Contingency and Disaster Recovery Plan required.
No. 19: Critical Forms require improved control.

Medium priority recommendations

There are 5 audit recommendations of Medium priority value listed next. Each
recommendation number below is the recommendation number identified in the Detail
Recommendations section of this report.
No. 9: Formal Application Testing Procedures required.
No. 10: End User Documentation requires improvement.
No. 15: Safe Off-Site Storage for Backups required.
No. 17: Personal Computers Policies and Procedures required.
No. 18: System Software Changes require improved control.
Low priority recommendations
There are 4 audit recommendations of Low priority value listed next. Each recommendation
number below is the recommendation number identified in the Detail Recommendations section
of this report.
No. 3: Job Descriptions need formalization.
No. 4: Vacation Policy needs to be made mandatory.
No. 5: Training of IT personnel requires improvement.
No. 20: Review of Logs may assist in problem solutions.

3. Analysis of Detail Audit Findings and Recommendations


The detail audit findings and recommendations are presented next, by IT area audited.
The IT areas audited are: IT Organization, IT Administration, IT Strategy, Systems
Development, Data Center Operations, Personal Computers, and Systems Software.

*3.1. IT Organization Area: Audit Findings and Recommendations


*3.2. IT Administration Area: Audit Findings and Recommendations
*3.3. IT Strategy Area: Audit Findings and Recommendations
*3.6. Data Center Operations: Audit Findings and Recommendations
*3.7. Personal Computers: Audit Findings and Recommendations
*3.8. Systems Software Area: Audit Findings and Recommendations
*3.9. IT Applications Operation: Audit Findings and Recommendations

A FULL SAMPLE IS AVAILABLE AT:


https://flevy.com/browse/business-document/audit-report-model-and-sample-268